WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification 5 : 
H04K 1/00 



A2 



(11) International Publication Number: WO 94/26044 

(43) International Publication Date: 10 November 1994 (10.11.94) 



(21) International Application Number: PCT/US94/04325 

(22) International Filing Date: 19 April 1994 (19.04.94) 



(30) Priority Data: 
08/049,929 



19 April 1993 (19.04.93) 



US 



(71)(72) Applicant and Inventor: MICALE, Silvio [US/US]; 459 
Chestnut Hill Avenue, Brookline, MA 02146 (US). 

(74) Agent: JUDSON, David, H.; Hughes & Luce, 1717 Main 
Street, Suite 2800, Dallas, TX 75201 (US). 



(81) Designated States: European patent (AT, BE, CH, DE, DK, 
ES, FR, GB, GR, IE, IT, LU, MC, NL, FT, SE). 



Published 

Without international search report and to be republished 
upon receipt of that report. 



(54) Title: FAIR CRYPTOSYSTEMS AND METHODS OF USE 

(57) Abstract 

A method, using a 
public-key cryptosystem, 
for enabling a predetermined 
entity to monitor 
communications of users 
suspected of unlawful 
activities while protecting 
the privacy of law-abiding 
users, wherein each user is 
assigned a pair of matching 
secret and public keys. 
According to the method, 
each user* s secret key is 
broken into shares. Then, 
each user provides a plurality 
of "trustees" pieces of 
information. The pieces of 
information provided to each 
trustee enable that trustee to 
verify that such information 
includes a "share" of a 
secret key of some given 
public key. Each trustee 
can verify that the pieces of 
information provided include 
a share of the secret key 

without interaction with any other trustee or by sending messages to the user. Upon a predetermined request or condition, e.g., a court 
order authorizing the entity to monitor the communications of a user suspected of unlawful activity, the trustees reveal to the entity the 
shares of the secret key of such user. This enables the entity to reconstruct the secret key and monitor the suspect user's communications. 




* 



ID: <WO 9426044A2_I_> 



FOR THE PURPOSES OF INFORMATION ONLY 

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international 
applications under the PCT. 



AT 


Austria 


GB 


United Kingdom 


MR 


Mauritania 


AU 


Australia 


GE 


Georgia 


MW 


Malawi 


BB 


Barbados 


GN 


Guinea 


NE 


Niger 


BE 


Belgium 


GR 


Greece 


NL 


Netherlands 


BF 


Burkina Faso 


HTJ 


Hungary 


NO 


Norway 


BG 


Bulgaria 


IE 


Ireland 


NZ 


New Zealand 


BJ 


Benin 


IT 


Italy 


PL 


Poland 


BR 


Brazil 


JP 


Japan 


PT 


Portugal 


BY 


Belans 


KE 


Kenya 


RO 


Romania 


CA 




KG 


KyrgyBtan 


RU 


Russian Federation 


CF 


Central African Republic 


KP 


Democratic People's Republic 


SD 


Sudan 


CG 


Congo 




of Korea 


SE 


Sweden 


CH 


Switzerland 


KR 


Republic of Korea 


SI 


Slovenia 


CI 


Cote d' I voire 


KZ 


Kazakhstan 


SK 


Slovakia 


CM 


Cameroon 


LI 


Liechtenstein 


SN 


Senegal 


CN 




LK 


Sri Lanka 


TD 


Chad 


cs 


Czechoslovakia 


LU 


Luxembourg 


TG 


Togo 


cz 


Czech Republic 


LV 


Latvia 


TJ 


Tajikistan 


DE 


Germany 


MC 


Monaco 


TT 


Trinidad and Tobago 


DK 


Denmark 


MD 


Republic of Moldova 


UA 


Ukraine 


ES 


Spain 


MG 


Madagascar 


US 


United States of America 


FI 


Finland 


ML 


Mali 


uz 


Uzbekistan 


FR 


France 


MN 


Mongolia 


VN 


Viet Nam 


GA 


Gabon 











BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



-1- 



PCT/US94/04325 



FAIR CRYPTOSYSTEMS AND METHODS OF USE 

TECHNICAL FIELD 

The present invention relates generally to 
cryptosystems and more particularly to methods for 
enabling a given entity to monitor communications of 
5 users suspected of unlawful activities while 
protecting the privacy of law-abiding users, 
BACKGROUND OF THE INVENTION 

In a single-key cryptosystem a common secret 
key is used both to encrypt and decrypt messages. 

10 Thus only two parties who have safely exchanged such 
a key beforehand can use these systems for private 
communication. This severely limits the 
applicability of single-key systems. 

In a double-key cryptosystem, the process of 

15 encrypting and decrypting is instead governed by 
different keys. In essence, one comes up with a 
pair of matching encryption and decryption keys. 
What is encrypted using a given encryption key can 
only be decrypted using the corresponding decryption 

20 key. Moreover, the encryption key does not "betray" 
its matching decryption key. That is, knowledge of 
the encryption key does not help to find out the 
value of the decryption key. The advantage of 
double-key systems is that they can allow two 

25 parties who have never safely exchanged any key to 

privately communicate over an insecure communication 
line (i.e., one that may be tapped by an 
adversary) . They do this by executing an on-line, 
private communication protocol. 

30 In particular, Party A alerts Party B that he 

wants to talk to him privately. Party B then 
computes a pair of matching encryption and 
decryption keys (E B , D B ) . B then sends A key E B . 
Party A now encrypts his message m, obtaining the 

35 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



ciphertext c = E B (m) , and sends c to B over the 
insecure channel. B decrypts the ciphertext by 
computing m - D B (cj . If an adversary eavesdrops all 
communication between A and B, he will then hear 
5 both B's encryption key, E B , and A's ciphertext, c. 
However, since the adversary does not know B*s 
decryption key, D B , he cannot compute m from c. 

The utility of the above protocol is still 
quite limited since it suffers from two drawbacks. 

10 First, for A to send a private message to B it is 
necessary also that B send a message to A, at least 
the first time. In some situations this is a real 
disadvantage. Moreover, A has no guarantee (since 
the line is insecure anyway) that the received 

15 string D B really is B's encryption key. Indeed, it 
may be a key sent by an adversary, who will then 
understand the subsequent, encrypted transmission. 

An ordinary public-key cryptosystem ("PRC") 
solves both difficulties and greatly facilitates 

20 communication. Such a system essentially consists 
of using a double-key system in conjunction with a 
proper key management center. Each user X comes up 
with a pair of matching encryption and decryption 
keys (E x , 3D X ) of a double-key system. He keeps D x 

25 for himself and gives E x to the key management 

center. The center is responsible for updating and 
publicizing a directory of correct public keys for 
each user, that is, a correct list of entries of the 
type (X, E x ) . For instance, upon receiving the 

30 request from X to have E x as his public key, the 

center properly checks X's identity, and (digitally) 
signs the pair (X, E x ) , together with the current 
date if every encryption key has a limited 
validity. The center publicizes E x by distributing 

35 the signed information to all users in the system. 
This way, without any interaction, users can send 



3NSDOCID: <WO 9426044A2_L> 



WO 94/26044 



PCT/US94/04325 



each other private messages via their public, 
encryption key that they can look up in the 
directory published by the center. The identity 
problem is also solved, since the center's signature 
5 of the pair (X, E x ) guarantees that the pair has 
been distributed by the center, which has already 
checked X's identity. 

The convenience of a PKC depends on the key 
management center. Because setting up such a center 

10 on a grand scale requires a great deal of effort, 
the precise protocols to be followed must be 
properly chosen. Moreover, public-key cryptography 
has certain disadvantages. A main disadvantage is 
that any such system can be abused, for example, by 

15 terrorists and criminal organizations who can use 

their own PKC (without knowledge of the authorities) 
and thus conduct their illegal business with great 
secrecy and yet with extreme convenience. 

It would therefore be desirable to prevent any 

20 abuse of a public key cryptosystem while maintaining 
all of it's lawful advantages. 
BRIEF SUMMARY OF THE INVENTION 

It is an object of the present invention to 
provide methods for enabling a given entity, such as 

25 the government, to monitor communications of users 
suspected of unlawful activities while at the same 
time protecting the privacy of law-abiding users. 

It is a further object of the invention to 
provide such methods using either public or private 

30 key cryptosystems . 

It is a still further object of the invention 
to provide so-called "fair" cryptosystems wherein an 
entity can monitor communications of suspect users 
only upon predetermined occurrences, e.g., the 

35 obtaining of a court order. 



BNSDOCID: <WO 9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



It is another object to describe methods of 
constructing fair cryptosystems for use in such 
communications techniques. 

In one embodiment, these and other objects of 
5 the invention are provided in a method, using a 
public-key cryptosystem, for enabling a 
predetermined entity to monitor communications of 
users suspected of unlawful activities while 
protecting the privacy of law-abiding users, wherein 

10 each user is assigned a pair of matching secret and 
public keys- According to the method, each user's 
secret key is broken into shares. Then, each user 
provides a plurality of "trustees" pieces of 
information. The pieces of information provided to 

15 each trustee enable that trustee to verify that such 
information includes a "share" of a secret key of 
some given public key. Further, each trustee can 
verify that the pieces of information provided 
include a share of the secret key without 

20 interaction with any other trustee or by sending 

messages to the user. Upon a predetermined request 
or condition, e.g., a court order authorizing the 
entity to monitor the communications of a user 
suspected of unlawful activity, the trustees reveal 

25 to the entity the shares of the secret key of such 
user to enable the entity to reconstruct the secret 
key and monitor the suspect user's communications. 

The method can be carried out whether or not 
the identity of the suspect user is known to the 

30 trustees, and even if less than all of the shares of 
the suspect user's secret key are required to be 
revealed in order to reconstruct the secret key. 
The method is robust enough to be effective if a 
given minority of trustees have been compromised and 

35 cannot be trusted to cooperate with the entity. In 
addition, the suspect user's activities are 



8NSDOC1D: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



characterized as unlawful if the entity, after 
reconstructing or having tried to reconstruct the 
secret key, is still unable to monitor the suspect 
user • s communications . 
5 According to another more generalized aspect of 

the invention, a method is described for using a 
public-key cryptosystem for enabling a predetermined 
entity to monitor communications of users suspected 
of unlawful activities while protecting the privacy 

10 of law-abiding users. The method comprises the step 
of "verifiably secret sharing" each user's secret 
key with a plurality of trustees so that each 
trustee can verify that the share received is part 
of a secret key of some public key. 

15 The foregoing has outlined some of the more 

pertinent objects of the present invention. These 
objects should be construed to be merely 
illustrative of some of the more prominent features 
and applications of the invention. Many other 

20 beneficial results can be attained by applying the 
disclosed invention in a different manner or 
modifying the invention as will be described. 
Accordingly, other objects and a fuller 
understanding of the invention may be had by 

25 referring to the following Detailed Description of 
the preferred embodiment. 
BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the 
present invention and the advantages thereof, 

30 reference should be made to the following Detailed 
Description taken in connection with the 
accompanying drawings in which: 

FIGURE 1 is a simplified diagram of a 
communications system over which a government entity 

35 desires to monitor communications of users suspected 
of unlawful activities; and 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



FIGURE 2 is a block diagram of a preferred 
hierarchy of entities that may use the methods of 
the present invention to monitor communications of 
users suspected of unlawful activities. 
5 DETAILED DESCRIPTION 

FIGURE 1 represents a simple communications 
system 10 comprising a telephone network connected 
between a calling station 12 and a called station 
14. One or more local central offices or telephone 

10 switches 16 connect telephone signals over the 

network in a well-known fashion. Referring now also 
to FIGURE 2, assume that a government entity, such 
as local law enforcement agency 18, desires to 
monitor communications to and/or from calling 

15 station 12 because the user of such calling station 
is suspected of unlawful activity. Assume further 
that the user of the calling station 12 communicates 
using a PKC. Following accepted legal practices, 
the agency 18 obtains a court order from court 20 to 

20 privately monitor the line 15. According to the 
present invention, the agency's is able to monitor 
the line 15 while at the same time the privacy 
rights of other law-abiding users of the network are 
maintained. This is accomplished as will be 

25 described by requiring that each user "secret share" 
the user's secret key (of the PKC) with a plurality 
of trustees 22a... 22n. 

According to the invention, a "fair" PKC is a 
special type of public r key cryptosystem. Every user 

30 can still choose his own keys and keep secret his 
private one; nonetheless, a special agreed-upon 
party (e.g., the government), and solely this party, 
under the proper circumstances envisaged by the law 
(e.g., a court order), and solely under these 

35 circumstances, is authorized to monitor all messages 
sent to a specific user. A fair PKC improves the 



WO 94/26044 



PCT/US94/04325 



-7- 



security of the existing communication systems 
(e.g., the telephone service 10) while remaining 
within the constraints of accepted legal procedures. 
In one embodiment, fair PRC's are constructed 
5 in the following general way. Referring now to 
FIGURES 1-2, it is assumed that there are five (5) 
trustees 22a... 22e and that the government desires, 
upon receiving a court order, to monitor the 
telephone communications to or from the calling 

10 station 12. Although the above-description is 

specific, it should be appreciated that users of the 
communications system and trustees may be people or 
computing devices. It is preferable that the 
trustees are chosen to be trustworthy. For 

15 instance, they may be judges (or computers 

controlled by them), or computers specially set up 
for this purpose.. The trustees, together with the 
individual users, play a crucial role in deciding 
which encryption keys will be published in the 

20 system. 

Each user independently chooses his own public 
and secret keys according to a given double-key 
system (for instance, the public key consists of the 
product of two primes, and the secret key one of 

25 these two primes). Since the user has chosen both 
of his keys, he can be sure of their "quality" and 
of the privacy of his decryption key. He then 
breaks his secret decryption key into five special 
"pieces" (i.e., he computes from his decryption key 

30 5 special strings/numbers) possessing the following 
properties : 

(1) The private key can be reconstructed given 
knowledge of all five, special pieces; 

35 



BNSDOCID: <WO 9426044A2_1_> 



WO 94/26044 



PCT/US94/04325 



-8- 

(2) The private key cannot be guessed at all 

if one only knows (any) 4, or less, of the 
special pieces ; 

5 (3) For i-1,. v . . 5, the i-th special piece 

can be individually verified to be correct . 

Given all 5 special pieces or "shares", one can 
verify that they are correct by checking that they 

10 indeed yield the private decryption key. According 
to one feature of the invention, property (3) 
insures that each special piece can be verified to 
be correct (i.e., that together with the other 4 
special pieces it yields the private key) 

15 individually, i.e., without knowing the secret key 
at all and without knowing the value of any of the 
other special pieces. 

The user then privately (e.g., in encrypted 
form) gives trustee 22i his own public key and the 

20 i-th piece of its associated secret key. Each 

trustee 22 individually inspects his received piece, 
and, if it is correct, approves the public key (e.g. 
signs it) and safely stores the piece relative to 
it. These approvals are given to a key management 

25 center 24, either directly by the trustees, or 

(possibly in a single message) by the individual 
user who collects them from the trustees. The 
center 24, which may or may not coincide with the 
government, itself approves (e.g., signs) any public 

30 key that is approved by all trustees. These 

center-approved keys are the public keys of the fair 
PKC and they are distributed and used for private 
communication as in an ordinary PKC. 

Because the special pieces of each decryption 

35 key are privately given to the trustees, an 

adversary who taps the communication line of two 



WO 94/26044 



PCT/US94/04325 



users possesses the same information as in the 
underlying, ordinary PKC. Thus if the underlying 
PKC is secure, so is the fair PKC. Moreover, even 
if the adversary were one of the trustees himself, 
5 or even a cooperating collection of any four out of 
five of the trustees, property (2) insures that the 
adversary would still have the same information as 
in the ordinary PKC. Because the possibility that 
an adversary corrupts five out of five judges is 

10 absolutely remote, the security of the resulting 
fair PKC is the same as in the underlying PKC. 

When presented with a court order, for example, 
the trustees 22 reveal to the government 20 the 
pieces of a given decryption key in their 

15 possession. According to the invention, the 

trustees may or may not be aware of the identity of 
the user who possesses the given decryption key. 
This provides additional security against 
"compromised" trustees who might otherwise tip off 

20 the suspect user once a request for that user's 
decryption key share is received by the trustee. 

Upon receiving the shares, the government 
reconstructs the given decryption key. By property 
(3) , each trustee previously verified whether he was 

25 given a correct special piece of a given decryption 
key. Moreover, every public key was authorized by 
the key management center 24 only if it was approved 
by all trustees 22. Thus, the government is 
guaranteed that, in case of a court order, it will 

30 be given all special pieces of any decryption key. 
By property (1), this is a guarantee that the 
government will be able to reconstruct any given 
decryption key if necessary to monitor 
communications over the network. 

35 Several types of fair PKC's are now described 

in more detail. 



BNSDOCID: <WO 9426044A2_L> 



WO 94/26044 



PCT/US94/04325 



Diffie and Hellman's PKC : 

The Diffie ana Hellman public-key cryptosystem 
is known and is readily transformed into a fair PKC 
by the present invention. In the Diffie and Hellman 
5 scheme, each pair of users X and Y succeeds, without 
any interaction, in agreeing upon a common, secret 
key S X y to be used as a conventional single-key 
cryptosystem. In the ordinary Dif f ie-Hellman PKC, 
there are a prime p and a generator (or high-order 

10 element) g common to all users. User X secretly 

selects a random integer Sx in the interval [1, p-1] 
as his private key and publicly announces the 
integer Px = g Sx mod p as his public key. Another 
user, Y, will similarly select Sy as his private key 

15 and announce Py = g s ^ mod p as his public key. The 
value of this key is determined as S xy « g SxS Y mod 
p. User X computes Sxy by raising Y's public key to 
his private key mod pX, and user Y by raising X*s 
public key to his secret key mod p. In fact: 

20 

(gSx } Sy . g SxSy . Sxy . g SySx . {g Sy)Sx mod ?b 

While it is easy, given g, p and x, to compute y «= 
g x mod p, no efficient algorithm is known for 

25 computing, given y and p, x such that g x «= y mod p 
when g has high enough order. This is the discrete 
logarithm problem. This problem has been used as 
the basis of security in many cryptosystems . The 
Diffie and Hellman's PKC is transformed into a fair 

30 one in the following manner. 

Each user X randomly chooses 5 integers Sxl, 
. . . Sx5 in the interval [1, p-1] and lets Sx be 
their sum mod p. It should be understood that all 
following operations are modulo p. User X then 

3 5 computes the numbers: 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-11- 



tl « g Sxl , . . . , t5=g Sx5 and Px = g Sx . 

Px will be User X's public key and Sx his private 
key. The ti's will be referred to as the public 
5 pieces of Px, and the Sxi ' s as the private pieces. 
It should be noted that the product of the public 
pieces equals the public key Px- In fact: 

tl ... t5 - g Sxl ... g Sx5 = g(Sxl+... 
10 +Sx5) . g Sx. 

Let Tl,. . . T5 be the five trustees. User X now 
gives Px, the public pieces and Sxl to trustee Tl, 
Px, the public pieces and Sx2 to trustee T2 , and so 

15 on. Piece Sxi is privately given to trustee Ti . 

Upon receiving public and private pieces ti and Sxi, 
trustee Ti verifies whether g Sxi = Ti . If so, the 
trustee stores the pair (Px, Sxi), signs the 
sequence (Px , tl , t2 , t3 , t4 , t5 ) and gives the signed 

20 sequence to the key management center 24 (or to user 
X, who will then give all of the signed public 
pieces at once to the key management center) . Upon 
receiving all the signed sequences relative to a 
given public key Px, the key management center 

25 verifies that these sequences contain the same 

subsequence of public pieces tl...t5 and that the 
product of the public pieces indeed equals Px. If 
so, center 24 approves Px as a public key and 
distributes it as in the original scheme (e.g., 

30 signs it and gives it to user X). The encryption 

and decryption instructions for any pair of users X 
and Y are exactly as in the Diffie and Hellman 
scheme (i.e., with common, secret key Sxy) . 
This way of proceeding matches the 

35 previously-described way of constructing a fair 
PKC. A still fair version of the Dif f ie-Hellman 



BNSDOCID: <WO 9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



scheme can be obtained in a simpler manner by having 
the user give to each trustee Ti just the public 
piece ti and its corresponding private piece Sxi, 
and have the user give the key management center the 
5 public key Px. The center will approve Px only if 
it receives all public pieces, signed by the proper 
trustee, and the product of these public pieces 
equals Px. In this way, trustee Ti can verify that 
Sxi is the discrete logarithm of public piece ti. 

10 Such trustee cannot quite verify that Sxi is a 
legitimate share of Px since the trustee has not 
seen Px or the other public pieces. Nonetheless, 
the result is a fair PKC based on the Dif f ie-Hellman 
scheme because properties (l)-(3) described above 

15 are still satisfied. 

Either one of the above-described fair PKC has 
the same degree of privacy of communication offered 
by the underlying Dif f ie-Hellman scheme. In fact, 
the validation of a public key does not compromise 

20 the corresponding private key. Each trustee Ti 
receives, as a special piece, the discrete 
logarithm, Sxi, of a random number, ti. This 
information is clearly irrelevant fr computing the 
discrete logarithm of Px. The same is actually true 

25 for any 4 of the trustees taken together, since any 
four special pieces are independent of the private 
decryption key Sx. Also the key management center 
does not possess any information relevant to the 
private key; i.e., the discrete logarithm of Px. 

30 All the center has are the public pieces 

respectively signed by the trustees. The public 
pieces simply are 5 random numbers whose product is 
Px . This type of information is irrelevant for 
computing the discrete logarithm of Px; in fact, any 

35 one could choose four integers at random and setting 
the fifth to be Px divided by the product of the 



BNSDOCID: <WO____9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-13- 

first four. The result would be integral because 
division is modulo p. As for a trustee's signature, 
this just represents the promise that someone else 
has a secret piece. 
5 Even the information in the hands of the center 

together with any four of the trustees is irrelevant 
for computing the private key Sx. Thus, not only is 
the user guaranteed that the validation procedure 
will not betray his private key, but he also knows 

10 that this procedure has been properly followed 

because it is he himself that computes his own keys 
and the pieces of his private one. 

Second, if the key management center validates 
the public key Px, then its private key is 

15 guaranteed to be reconstructable by the government 
in case of a court order. In fact, the center 
receives all 5 public pieces of Px, each signed by 
the proper trustee. These signatures testify that 
trustee Ti possesses the discrete logarithm of 

20 public piece ti. Since the center verifies that the 
product of the public pieces equals Px, it also 
knows that the sum of the secret pieces in storage 
with the trustees equals the discrete logarithm of 
Px; i.e, user X's private key. Thus the center 

25 knows that, if a court order were issued requesting 
the private key of X, the government is guaranteed 
to obtain the needed private key by summing the 
values received by the trustees. 
RSA F 9 ir PKC : 

30 The following describes a fair PKC based on the 

known RSA function. In the ordinary RSA PKC, the 
public key consists of an integer N product of two 
primes and one exponent e (relatively prime with 
f(N), where F is Euler's quotient function). No 

35 matter what the exponent, the private key may always 
be chosen to be N's factorization. By way of brief 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-14- 



background, the RSA scheme has certain 
characteristics that derive from aspects of number 
theory: 

Fact 1. Let Z N * denote the multiplicative 
5 group of the integers between 1 and N and relatively 
prime with N. If N is the product of two primes 
N«pg (or two prime powers: N=p a p b ), then 

(1) a number s in Z N * is a square mod N if and only 
10 if it has four distinct square-roots mod N : x, 

-x mod N, y, and -y mod N (i.e., x 2 = y 2 = s 
mod N) . Moreover, from the greatest common 
divisor of + -x + -y and N, one easily computes 
the factorization of N. Also; 

15 

(2) one in four of the numbers in Z N * is a square 
mod N. 

Fact 2. Among the integers in Z N * is defined a 

20 function, the Jacobi symbol, that evaluates easily 
to either 1 or -1. The Jacobi symbol of x is 
denoted by (s/N) . The Jacobi symbol is 
multiplicative; i.e., (x/N)(Y/N) « (xy/N) . If N is 
the product of two primes Nt=pq (or two prime powers: 

25 N=p a p b ) , the p and 1 are congruent to 3 mod 4. 

Then, if + -x and + -y are the four square roots of 
a square mod N (s/N)=(-x/N)=+l and (y/N) = (-y/N) 
«-l. Thus, because of Fact 1, if one is given a 
Jacobi symbol 1 root and a Jacobi symbol -1 root of 

30 any square, he can easily factor N. 

With this background, the following describes 
how the RSA cryptosystem can be made fair in a 
simple way. For simplicity again assume there are 
five trustees and that all of them must collaborate 

35 to reconstruct a secret key, while no four of them 
can even predict it. The RSA cryptosystem is easily 



BNSDOCID: <WO 9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



-15- 

converted into a fair PKC by efficiently sharing 
with the trustee's N's factorization. In 
particular, the trustees are privately provided 
information that, perhaps together with other given 
5 common information, enables one to reconstruct two 
(or more) square roots x and y (x different from +y 
mod N) of a common square mod N. The given common 
information may be the -1 Jacobi symbol root of X 2 , 
which is equal to y. 

10 A user chooses P and Q primes congruent to 3 

mod 4, as his private key and N = PQ as his public 
key. Then he chooses 5 Jacobi 1 integers X 2 / 
X 3 , X 4 and X^ (preferably at random) in Z N * and 
computes their product, X, and X^ 2 mod N for all i = 

15 1, ... ,5, The product of the last 5 squares, Z, 
is itself a square. One square root of Z mod N is 
X, which has Jacobi symbol equal to 1 (since the 
Jacobi symbol is multiplicative). The user computes 
Y , one of the Jacobi -1 roots mod N. Xj, . . . X 5 

20 will be the public pieces of public key N and the 
X^ ' s the private pieces. The user gives trustee Ti 
private piece X^ (and possibly the corresponding 
public piece, all other public pieces and Px, 
depending oh whether it is desired that the 

25 verification of the shares so as to satisfy 

properties (1)— (3) is performed by both trustees and 
the center, or the trustees alone) . Trustee Ti 
squares Xi mod N, gives the key management center 
his signature of X^ 2 , and stores X^ . 

30 The center first checks that (-1/N)=1, i.e., 

for all x: (x/N) = (-x/N). This is partial evidence 
that N is of the right form. Upon receiving the 

alid signature of the public pieces of N and the 
Jacobi -1 value Y from the user, the center checks 

35 whether mod N the square of Y equals the product of 
the five public pieces. If so, it checks, possibly 



BNSDOCID: <WO _9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



with the help of the user, that N is the product of 
two prime powers. If so, the center approves N. 

The reasoning behind the scheme is as follows. 
The trustees' signatures of the X-^'s (mod N) 
5 guarantee the center that every trustee Ti has 

stored a Jacobi symbol 1 root of X^ 2 mod N. Thus, 
in case of a court order, all these Jacobi symbol 1 
roots can be retrieved. Their product, mod N, will 
also have Jacobi symbol 1, since this function is 

10 multiplicative, and will be a root of X 2 mod N . But 
since the center has verified that Y 2 » X 2 mod N, 
one would have two roots X and Y of a common square 
mod N. Moreover, Y is different from X since it has 
different Jacobi symbol, and Y is also different 

15 from -x, since (-x/N) = (s/N) because (a) (-1/N) has 
been checked to be 1 and (b) the Jacobi symbol is 
multiplicative. Possession of such square roots, by 
Facts 1 and 2, is equivalent to having the 
factorization of N, provided that N is product of at 

20 most two prime powers. This last property has also 
been checked by the center before it has approved N . 

Verification that N is the product of at most 
two prime powers can be performed in various ways. 
For instance, the center and user can engage in a 

25 zero-knowledge proof of this fact. Alternatively, 

the user may provide the center with the square root 
mod N for roughly 1/4 of the integers in a 
prescribed and random enough sequence of integers. 
For instance, such a sequence could be determined by 

30 one-way hashing N to a short seed and then expanding 
it into a longer sequence using a psuedo-random 
generator. If a dishonest user has chosen his N to 
be the product of three or more prime powers, then 
it would be foolish for him to hope that roughly 1/4 

35 of the integers in the sequence are squares mod N. 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-17- 

In fact, for his choice of N, at most 1/8 of the 

integers have square roots mod N. 

Variations 

The above schemes can be modified in many 
5 ways. For instance, the proof that N is product of 
two prime powers can be done by the trustees (in 
collaboration with the user), who then inform the 
center of their findings. Also, the scheme can be 
modified so that the cooperation of the majority of 

10 the trustees is sufficient for reconstructing the 
secret key, while any minority cannot gain any 
information about the secret key. Also, as with all 
fair cryptosystems , one can arrange that when the 
government asks a trustee for his piece of the 

15 secret key of a user, the trustee does not learn 

about the identity of the user. The variations are 
discussed in more detail below. 

In particular, the schemes described above are 
robust in the sense that some trustees, accidentally 

20 or maliciously, may reveal the shares in their 

possession without compromising the security of the 
system. However, these schemes rely on the fact 
that the trustees will collaborate during the 
reconstruction stage. In fact, it was insisted that 

25 all of the shares should be needed for recovering a 
secret key. This requirement may be 
disadvantageous, either because some trustees may 
reveal to be untrustworthy and refuse to give the 
government the key in their possession, or because, 

30 despite all file backups, the trustee may have 

genuinely lost the information in its possession. 
Whatever the reason, in this circumstance the 
reconstruction of a secret key will be prevented. 
This problem is also solved by the present invention. 

35 By way of background, "secret sharing" (with 

parameters n,T,t) is a prior cryptographic scheme 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



consisting of two phases: in phase one a secret 
value chosen by a distinguished person, the dealer, 
is put in safe storage with n people or computers, 
the trustees, by giving each one of them a piece of 
5 information. In phase two, when the trustees pool 
together the information in their possession, the 
secret is recovered. Secret sharing has a major 
disadvantage — it presupposes that the dealer gives 
the trustees correct shares (pieces of information) 

10 about his secret value. "Verifiable Secret Sharing" 
(VSS) solves this "honesty" problem. In a VSS 
scheme, each trustee can verify that the share given 
to him is genuine without knowing at all the shares 
of other trustees of the secret itself. 

15 Specifically, the trustee can verify that, if T 
verified shares are revealed, the original secret 
will be reconstructed, no matter what the dealer or 
dishonest trustees might do. 

The above-described fair PKC schemes are based 

20 on a properly structured, non-interactive verifiable 
secret sharing scheme with parameters n=5, T=5 and 
t*=4. According to the present invention, it may be 
desirable to have different values of these 
parameters, e.g., n=5, T=3 and t=2 . In such case, 

25 any majority of the trustees can recover a secret 
key, while no minority of trustees can predict it 
all. This is achieved as follows (and be simply 
generalized to any desired values of n, T and t in 
which T>t) . 

3 0 Subset Method for the Dif f ie-Hellman Scheme : 

After choosing a secret key Sx in [1, p-1] , 
user X computes his public key Px = g^ x mod p (with 
all computations below being mod p) . User X now 
considers all triplets of numbers between 1 and 5: 

35 (1,2,3), (2,3,4) etc. For each triplet (a,b,c), 
user X randomly chooses three integers Slabc, 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-19- 

S3abc in the interval [1, p-1] so that their sum mod 
p equals Sx. Then he computes the numbers: 

tlabc « g Slabc # t2abc „ g S2ab C/ t 3abc«g S3abc 

5 

The tiabc's will be referred to as public pieces of 
Px, and the Siabc's as private pieces. Again, the 
product of the public pieces equals the public key 
Px. In fact, 

10 

tlabc- -t2abc — t3abc = gSlabc . g S2abc . gS3abc _ 
m g ( Slabc + _ + S3ab C) = g Sx = Px 

User X then gives trustee Ta tlabc and Slabc, 

15 trustee Tb t2abc and S2abc, and trustee Tc t3abc and 
S3abc, always specifying the triplet in question. 
Upon receiving these quantities, trustee Ta (all 
other trustees do something similar) verifies that 
tlabc = gSlabc^ s i gn s the value (Px, tlabc, (a,b,c)> 

20 and gives the signature to the management center. 

The key management center, for each triple 
(a,b,c), retrieves the values tlabc, t2abc and t3abc 
from the signed information received from trustees, 
Ta, Tb and Tc. If the product of these three values 

25 equals Px and the signatures are valid, the center 
approves Px as a public key. 

The reason the scheme works, assuming that at 
most 2 trustees are untrustworthy, is that all 
secret pieces of a triple are needed for computing 

30 (or predicting) a secret key. Thus no secret key in 
the system can be retrieved by any 2 trustees. On 
the other hand, after a court order at least three 
trustees reveal all the secret pieces in their 
possession about a given public key. The government 

35 then has all the necessary secret pieces for at 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



least one triple, and thus can compute easily the 
desired secret key. 

Alternatively, each trustee is replaced by a 
group of new trustees. For instance, instead of a 
5 single trustee Ta, there may be three trustees: Tal, 
Ta2 and Ta3. Each of these trustees will receive 
and check the same share of trustee Ta . In this way 
it is very unlikely that all three trustees will 
refuse to surrender their copy of the first share. 

10 After having insured that a few potentially 

malicious trustees cannot prevent reconstruction of 
the key, there are still further security issues to 
address, namely, a trustee — requested by a court 
order to surrender his share of a given secret key 

15 — may alert the owner of that key that his 

communications are about to be monitored* This 
problem is also solved by the invention* A simple 
solution arises if the cryptosystem used by the 
trustees possess certain algebraic properties. This 

20 is illustrated for the Dif f ie-Hellman case, though 
the same result occurs for the RSA scheme. In the 
following discussion, for simplicity it is assumed 
that all trustees collaborate in the reconstruction 
of the secret key. 

2 5 Oblivious and Fair Dif f ie-Hellman Scheme : 

Assume that all trustees use deterministic RSA 
for receiving private messages. Thus, let Ni be the 
public RSA modulus of trustee Ti and ei his 
encryption exponent (i.e., to send Ti a message m in 

30 encrypted form, one would send m ei mod Ni) . 

User U prepares his public and secret key, 
respectively Px and Sx (thus Px = g Sx mod p) , as 
well as his public and secret pieces of the secret 
key, respectively ti and Sxi • s (thus Px « tl, t2 ... 

35 t5 mod p and ti = g Sxi mod p for all i) . Then, the 
user gives to the key management center Px, all of 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



FCTVUS94/04325 



-21- 

the ti's and the n values Ui « (Sxi) 3 mod Ni; i.e., 
he encrypts the i-th share with the public key of 
trustee Ti . Since the center does not know the 
factorization of the Ni's, this is not useful 
5 information to predict Sx, nor can the center verify 
that the decryption of the n ciphertexts are proper 
shares of Sx. For this, the center will seek the 
cooperation of the n trustees, but without informing 
them of the identity of the user as will be 

10 described. 

The center stores the values tj's and U j ' s 
relative to user U and then forwards Ui and ti to 
trustee Ti . If every trustee Ti verified that the 
decryption of Ui is a proper private piece relative 

15 to ti, the center approves Px. 

Assume now that the judicial authority decides 
to monitor user U*s communications. To lawfully 
reconstruct secret key Sx without leaking to a 
trustee the identity of the suspected user U, a 

20 judge (or another authorized representative) 

randomly selects a number Ri mod Ni and computes yi 
= Ri e * mod Ni, Then, he sends trustee Ti the value 
zi « Ui-yi mod Ni , asking with a court order to 
compute and send back wi, the ei-th root of zi mod 

25 Ni. Since zi is a random number mod Ni, no matter 

what the value of Ui is, trustee Ti cannot guess the 
identity of the user U in question. Moreover, since 
zi is the product of Ui and yi mod Ni, the ei-th 
root of zi is the product mod Ni of the ei-th root 

30 of Ui (i.e., Sxi) and the ei-th root of yi (i.e., 

Ri). Thus, upon receiving wi , the judge divides it 
by yi mod Ni, thereby computing the desired Sxi. 
The product of these Sxi • s equals the desired Sx. 
Further variations: 

35 In other variations of the invention, in case 

of a court order, the government is only authorized 



BNSDOC1D: <WO 9426044A2_L> 



WO 94/26044 



PCT/US94/04325 



to understand the messages concerning a given user 
for a limited amount of time. The collective 
approval of all trustees may stand for the 
government approval. Also, trustees need not store 
5 their piece of the private key. The encryption of 
this piece — in the trustee's public key and signed 
by the trustee — can be made part of the user's 
public key. In this way, the public key carries the 
proof of its own authenticity and verification. In 

10 the latter case it may be advantageous to break the 
trustee's private keys into pieces. 

If the user is an electronic device, such as an 
integrated circuit chip, the basic process of key 
selection and public-key validation can be done 

15 before the device leaves the factory. In this case, 
it may be advantageous that a "copy" of the trustee 
can be maintained within the factory. A copy of a 
trustee is a physically secure chip — one whose 
data cannot be read — containing a copy of the 

20 trustee's decryption key. The trustee (i.e., the 
party capable of giving the piece of a private key 
under a court order) need not necessarily coincide 
with this device. 

In another variation, it may be arranged that 

25 the trustees each a have piece of the government 
private key, and that each user's private key is 
encrypted with the public key of the government. 

While the use of a fair PKC in a 
telecommunications network (and under the authority 

30 of the government) has been described, such 

description is not meant to be taken by way of 
limitation. A fair PKC can be used in private 
organizations as well. For example, in a large 
organization where there is a need for privacy, 

35 assume there is an established "superior" but not 
all employees can be trusted since there are too 



BNSDOCID: <WO _9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



many of them* The need for privacy requires the use 
of encryption. Because not all employees can be 
trusted, using a single encryption key for the whole 
company is unacceptable, as is using a number of 
5 single-key cryptosystems (since this would generate 
enormous key-distribution problems) . Having each 
employee use his own double-key system is also 
dangerous, since he or she might conspire against 
the company with great secrecy, impunity and 

10 convenience. 

In such application of a fair PKC, numerous 
advantages are obtained. First, each employee is in 
charge of choosing his own keys. While enjoying the 
advantages of a more distributed procedure, the 

15 organization retains absolute control because the 
superior is guaranteed to be able to decrypt every 
employee's communications when necessary. There is 
no need to change keys when the superior changes 
because the trustees need not be changed. The 

20 trustees' storage places need less surveillance, 
since only compromising all of them will give an 
adversary any advantage. 

For making fair a private key cryptosystem, but 
also for a PKC, it is desirable that each trustee 

25 first deposits an encrypted version or otherwise 

committed version of his share, so that, when he is 
asked to reveal what his share was, he cannot change 
his mind about its value. Also, it is desirable 
that the user gives his shares to the trustees 

30 signed; such signatures can be relative to a 
different public key (if they are digital 
signatures) or to the same new public key if the new 
key can be used for signing as well. In this way, 
the share revealed by the trustee clearly proves 

35 that it way originated. Better still, the user may 
sign (with the trustee's key) the encryption of the 



BNSDOCID: <WO .9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



share given to a trustee, and the signature can be 
revealed together with the share. This approach 
insures that one can both be certain that what was 
revealed was a share approved by the user and also 
5 that the trustees and the user cannot collaborate 
later on in changing its value. 

As stated above, it may be desirable to use the 
fair PKC for time-bounded eavesdropping. A more 
specific description of such techniques is now 

10 described. For the purposes of example only, the 
following discussion presumes that the monitoring 
takes place over a telephone system, although of 
course the invention is not so limited. Currently, 
if no encryption is used, when a proper court order 

15 is given the authorities (such as the state or 
federal authorities) can and are is allowed to 
monitor the conversations of a suspected user. 
However, if this court-authorized line tapping and 
other investigative procedures do not show any 

20 wrongdoing, this monitoring will stop (or at least 
will stop being legal) . This restores the privacy 
of the erroneously-suspected user. Thus, currently, 
the citizens must trust the Government that (1) no 
line-tapping is initiated with a proper court order, 

25 and (2) a legitimately-initiated court order is 

terminated when the court decides so. If a fair PKC 
is used to encrypt all communications, then the 
citizens need not trust the Government with respect 
to the former point. The same guarantee does not, 

30 however, hold for the latter consideration. In 
fact, once the authorities have reconstructed a 
user's secret key in response to a proper court 
order, the citizens must still trust (rather than be 
certain) that the reconstructed secret key will be 

35 forgotten and destroyed, so that no further 

line-tapping can continue after the Court says so. 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-25- 

According to the invention, fair PKC ' s are enhanced 
so that guarantee also property 2, that is, by- 
allowing time-bounded monitoring. 

In one embodiment, time-bounded 
5 court-authorized eavesdropping uses secure chips 
(i.e., chips whose memory — or parts of it — 
cannot be read from the outside, and cannot be 
tampered with) . One method can now be described. 
Assume that a proper court order is issued to tap 

10 the line of user X from February to April, Since 

the messages traveling along X's line are encrypted, 
the authorities will make use of a chip to decode 
them. Assume that the chip is secure and capable of 
receiving encrypted messages from the trustees. For 

15 instance, the chip possesses a public encryption key 
PC and a corresponding secret decryption key SC. 
While PC may be universally known, and is in 
particular known to the trustees, SC is safely 
stored within the chip, and actually known only to 

20 the chip itself (e.g., because it is the secure chip 
that has generated both PC and SC) . After receiving 
the court order, each trustee sends a message 
(preferably digitally signed) to the chip consisting 
of the share of user X's secret key in his 

25 possession, after encrypting it via PC. Since the 
chip possesses SC, it easily computes all necessary 
shares of X's secret key, and thus the secret key 
itself. The court will also provide the chip with a 
(preferably signed) message consisting of, say 

30 "decode, X, February-April." (Alternatively, the 

time interval can be specified in the message of the 
trustees, since they learned it from the Court 
anyway.) Since the chip has an internal clock, it 
can easily decrypt all X f s messages relative to the 

35 prescribed time period. Afterwards, user X*s secret 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



key will be destroyed. Thus, to allow further 
line-tapping, a new court order would be required. 

Time-bounded eavesdropping also can be 
implemented by having each user choose different 
5 secret keys when he enters the system. This method 
can actually be quite practical if the court 
authorizes eavesdropping for convenient 
time-intervals; for instance, "integral 
month-multiples." In this case, each user, at the 

10 beginning of the year (or of the decade, or ... ) 

chooses 12 secret keys, SK^ , - . . , ^ K 12 ' together with 
their corresponding public keys, PK 1# . . . ,PK 12 . Each 
pair of keys is associated to a determined month — 
e.g., SKj, and PK-^ are Januarys keys. The user 

15 then follows the procedure of a fair PKC so that 
, each trustee receives (and can actually verify to 
have received) the correct piece of each secret 
key. This only entails sending each trustee a 
12-time longer message than before, and having each 

20 trustee perform 12-times more computation. But both 
these operations are quite simple and need to be 
done only once per year (per decade, etc.). Like 
before, after the trustees inform the government 
that they have been given their respective pieces 

2 5 for each of the months, the government approves the 
user's public keys. This can be done in several 
ways. For instance, the government can digitally 
sign each public key individually — e.g., for user 
X and for the month of March, it will sign the 

30 triplet (X,3,PK3). Thus, though the "one-time" 

message that user X sends to each trustee when she 
enters the system is longer, the public key that she 
needs to send to another user Y (before she can have 
a private conversation with him) is as short as 

35 before. For instance, if X wants to communicate 
with Y in March, she needs only to send Y the 



BNSDOCID: <WO _9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-27- 

government signature of (X,3,K 3 ). User Y (or his 
computer) will inspect that this signature is valid 
and that the current month is March. If so, he will 
use K 3 to communicate to X, Thus, if the Court 
5 authorizes eavesdropping for the months of February, 
March, and April, the trustees only reveal their own 
pieces of the secret keys of those months. The 
authorities will have no help in understanding 
conversations outside this time interval. 

10 In the pre-chosen secret key method described 

above, each user selected and properly shared with 
the trustees as many secret keys of a PKC as there 
are possible transmission "data" (in the above 
example, each possible month). Within each 

15 specified date, the same public-secret key pair was 
used for communicating with every other user. 

It is customary to use public keys only to 
transmit secure session keys, which are then used to 
encrypt messages by means of a conventional 

20 single-key system. These session keys are usually 

unigue to the pair of users in guestion and the date 
of transmission. Indeed, each minute or second can 
be considered a different date, and thus there may 
be a different session key for every transmission 

25 between two users. Actually, the date, which can be 
sent in the clear, preferably may just be any 
progressive number identifying the transmission, but 
not necessarily related to physical time. 
Time-bounded court-authorized monitoring can also be 

30 achieved in this traditional setting. In 

particular, preferably session keys are chosen 
algorithmically (so that the trustees can compute 
each desired session key from information received 
when users- enter the system), but unpredictably (so 

3 5 that, though some session keys may become known — 
e.g., because of a given court order — the other 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



session keys remain unknown). Using this approach, 
one can develop many enhanced fair PRC's, for 
instance based on RSA and the Dif f ie-Hellman 
cryptosystems , so as to exploit advantageously their 
5 algebraic structure. 

By way of still further background, assume that 
there is a court order to tap the conversations of 
user X between dates Dl and D2, and that user X at 
date D (in the specified time interval) communicates 

10 with user Y . If the time-bounded fair PKC requires 
the police to contact the trustees specifying the 
triplet (X, Y, D) in order to understand X's 
communication/ the scheme might be considered 
somewhat impractical because the police would flood 

15 the trustees with continuous requests. An improved 
scheme would allow the police to contact the 
trustees only once, specifying only X, Y, and Dl and 
D2 , in order to understand all the communications 
between X and Y at any date D in that time 

20 interval. Since, however, there may be quite a 

number of users Y, the trustees still risk of being 
flooded with requests from the police. A still 
better scheme allows the police to go to the 
Trustees only once, specifying X Dl and D2 , in order 

25 to understand all communications involving X in that 
time interval. 

The following is an efficient solution to the 
last scenario (although it should be appreciated 
that all of the above scenarios are within the scope 

30 of this invention and that "intermediate" solutions 
can be easily derived from it). 

Assume that X is a user of a fair PKC F. When X 
wants to initiate a secret conversation with Y at 
date D, she computes a secret session key SXDY and 
35 sends it to Y using F (i.e., encrypts it with Y's 
public key in F) . User Y then computes his secret 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



session key SYDX and sends it to X after encrypting 
it with the received secret key SXDY (by means of an 
agreed-upon conventional cryptosystem) . User X then 
sends SYDX to Y by encrypting it with SXDY. After 
5 this handshaking, throughout the session, X sends 
messages to Y conventionally encrypted with SXDY, 
and Y sends messages to X via SYDX . (If anyone 
spots that the other disobeys the protocol the 
communication is automatically terminated, and an 

10 alarm signal may be sent to a proper place,) Thus 

in this example, though X and Y will understand each 
other perfectly, they will not be using a common, 
conventional key. Notice that if the police know 
SXDY (respectively, SYDX), it will also know SYDX 

15 (respectively, SXDY). 

Assume now that the court authorizes tapping 
the lines of user X from date Dl to date D2 , and 
that a conversation occurs at a time D in the time 
interval [Dl, D2] between X and Y. The idea is to 

20 make SXDY available to the police in a convenient 

manner, since knowledge of this quantity will enable 
the police to understand X's out-going and in-coming 
messages, independently of who between X and Y 
initiated the call. To make SXDY conventionally 

25 available to the Police, we will make it easily 

computable on input SXD, a master secret key that X 
uses for computing his own session key at date D 
with every other user. For instance, SHDY = 
H(SXD,Y), where H is a secure (possibly hashing) 

30 function. 

Since there may be many dates D in the desired 
interval, however, we make sure that SXD is easily 
computable from a short string, SX[D1,D2], and that 
short string is itself immediately computable from 

35 some short string that the police receive from the 
trustees when they are presented with the court 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 PCT/US94/04325 



-30- 



order "tap X from Dl to D2." For instance, in a 
3-out-of-3 case, if SXi [01,02] denotes the 
information received by the police from trustee i in 
response to the court order: 

5 

SX[D1,D2] = H(SX1[D1,D2] , SX2[D1,D2], SX3 [Dl , D2 ] ) , 

where H is a secure (possibly hashing) function. 
Letting SX^ be the value originally given to trustee 

10 i by user X when she entered the system (i.e., X 

gives SXi to trustee i together with the i-th piece 
of her own secret key in the fair PKC F) , SXi[Dl,D2] 
should easily depend on SXi . An effective choice of 
SXi, SXi[Dl,D2], and SX[D1,D2], and SXD is then 

15 made. Assume that there are 2 d possible dates. 

Imagine a binary tree with 2 d leaves, whose nodes 
have n-bit identifiers — where n=0,...,d. Quantity 
SXi[Dl,D2] is computed from SXi by storing a value 
at each of the nodes of the tree. The value stored 

20 at the root, node Ne (where c is the empty word), is 
SX^ . Then a secure function G is evaluated on value 
SXi so as to yield two values, SXiO and SXil. 
Preferably the function is such that the value SXi 
is unpredictable given SXiO and SXil. (For 

25 instance, SXi is a random k-bit value and G is a 
secure pseudo-random number generator that, using 
SXi as a seed, outputs 2k bits: the first k will 
constitute value SXiO, the second k value SXil.) 
Value SXiO is then stored in the left child of the 

30 root (i.e., it is stored in node NO) and value SXil 
is stored in the right child of the root (node Nl) . 
The values of below nodes in the tree are computed 
using G and the value stored in their ancestor in a 
similar way. Let SXiD be the value stored in leaf D 

35 (where D is a n-bit date) . If Dl < D2 are n-bit 
dates, then assume that a node N controls the 



iNSDOCID: <WO_^___9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-31- 



interval [D1,D2] if every leaf in the tree that is a 
descendant of N belongs to [D1,D2] , while no proper 
ancestor of N has this property- 
Then, if SXi[Dl,D2] consists of the (ordered) 
sequence of values stored in the nodes that control 
[D1,D2]: 

1. SXi[Dl,D2] is quite short (with respect to 
the interval [01,02]) , and 

2. For each date D in the interval [01,02], 
the value SXiD stored in leaf D is easily 
computable from SXi[Dl,D2], and 



15 3* The value stored at any leaf not belonging 

to [01,02] is not easily predictable from 
SXi[Dl,D2] . 



10 



20 



Thus, if: 



SXD m H(SX1D, SX2D, SX3D) 



where H is a secure (preferably hashing) function, 
and each user X chooses the values SXi ' s 
25 (sufficiently) randomly and (sufficiently) 

independently, the scheme has all the desired 
properties. In particular: 

a, user X computes SXD very efficiently for 
30 every value of D; 

b. when presented with a court order to tap 
the line of user X between dates 01 and 
D2, each trustee i quickly computes 

35 SXi[Dl,D2]. (In fact, he does not need to 

compute all values in the 2 n -node tree, 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



-32- 



but only those of the nodes in control 
[D1,D2]); 

c. Having received SXi[Dl,D2] from every 
5 trustee i, the police can, very quickly 

and without further interaction with the 
trustees , compute : 

SXiD from SXi [01,02] for every date D 
10 in the specified interval (in fact; 

its job is even easier since the 
SXiD's are computed in order and 
intermediate results can be stored) 

15 the master secret-session key SXD 

from the SXiD's, and 

the session key SXDY from SXD from 
any user Y talking to X in the 
20 specified time interval. 

Note that both X's out-going and in-coming messages 
will be understood by the police, but no message 
sent or received before or after the time-interval 
25 specified by the court order will be intelligible to 
the police (unless a new proper court order is 
issued) . 

Of course, like in any fair PKC, users may not 
compute the session keys as above (for instance, by 

3 0 not using the standard equipment approved by the 
Government). This is easily detectable if X's 
conversations do not become understandable after a 
court order has been issued and the trustees have 
provided their information. Not using the right 

35 session keys, however, does not enable malicious 
users to abuse the government approved system F 



BNSDOCID: <WO 9426044A2J > 



WO 94/26044 



PCT/US94/04325 



easily. In fact, it can be part of the protocol 
that when it becomes evident that a given user X 
maliciously does not use the proper session keys, 
the court orders the reconstruction of user X's 
5 secret key in F — which is possible since F is a 
fair PKC. Thus, users who maliciously tamper with 
the session keys can be tapped automatically, at any 
date, without any additional court order . 

A fair PKC has advantages even if the people 

10 who do not use them are not punished. Fair PKC's 

may be much more useful, however, if the government 
can determine whether a given cryptogram has been 
generated in the prescribed fair manner without any 
court order. That is, it would be desirable that 

15 the government, without understanding the messages 
exchanged (even because they are not fairly 
generated, or because they are fairly generated but 
no court order has been issued to tap the line of a 
given user) can tell whether they are generated in a 

20 fair way, that is, whether it would be capable of 
understanding them in case of a court order. 

The following describes a technique for 
achieving this property. As will be seen, this 
technique may be applied to encryption devices that 

25 may or may not work in conjunction with a PKC or a 
fair PKC. 

This technique again uses secure chips or other 
portable data carrier devices that include protected 
memory. Assume that each user has a secure chip or 

30 device that implements a fair PKC or any 

government-approved encryption algorithm. Each 
device will contain at least an encryption or 
decryption key for communicating with other users. 
In addition it will contain another key, KG, that is 

35 known to the government, but not to the user, since 
KG is inside the secure chip. Assume know that the 



BNSDOCiD: <WO_____9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



user includes a terminal that commutes a message M 
which includes a ciphertext generated according to 
the government-approved algorithm. Prior to 
outputting N, the user's terminal applies a given 
5 function H (preferable a secure hashing one) to M so 
as to generate H(M) . Then the device outputs both M 
and the encryption of H (M) with KG, that is E 
(KG , H(M) ) . 

Assume now that the government, without wishing 

10 to understand the cleartext contained in M, wants to 
determine whether M was generated in an approved 
manner. Then all it has to do is apply H to M, so 
as to compute H(M) and then encrypt the result with 
KG and check whether the string E (KG,H(M) ) sent by 

15 the user's device equals the value so computed. The 
user does not lose any privacy by this operation, 
since H(M) does not reveal the cleartext in M. 

It should be noticed that KG need not be known 
to the Government, so long as the Government is 

20 assured that it pertains to a Government-approved 

device. Note further that if H itself is unknown to 
the user, there is no need to encrypt(M) with KG at 
all. Moreover, the user, even if she does not know 
H(M) , need not worry about H(M) somehow containing a 

25 second encrypted version of the cleartext in M 

(which might be decodable by the government without 
any court order and without her knowledge) . In 
fact, if H is chosen to be hashing, then H(M) is 
short, and no short string can possibly reveal the 

30 longer cleartext contained in M, which the user 
wishes to remain private. 

It should be appreciated by those skilled in 
the art that the specific embodiments disclosed 
above may be readily utilized as a basis for 

35 modifying or designing other techniques and 

processes for carrying out the same purposes of the 



BNSDOCID: <WO 9426044A2_L> 



WO 94/26044 



PCT/US94/04325 



present invention. It should also be realized by 
those skilled in the art that such equivalent 
constructions do not depart from the spirit and 
scope of the invention as set forth in the appended 
5 claims* 



10 



15 



20 



25 



30 



BNSDOCID: <WO 9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



-36- 

CLAIMS 

What is claimed is: 

5 1. A method, using a public-key cryptosystem, 

for enabling a predetermined entity to monitor 
communications of users suspected of unlawful 
activities while protecting the privacy of 
law-abiding users, wherein each user is assigned a 
10 pair of matching secret and public keys, comprising 
the steps of : 

breaking each user's secret key into shares; 
providing trustees pieces of information 
enabling the trustees to verify that the pieces of 
15 information include shares of a secret key of some 
given public key; and 

upon a predetermined request, having the 
trustees reveal the shares of the secret key of a 
user suspected of unlawful activity to enable the 
20 entity to attempt reconstruction of the secret key; 
and 

monitoring communications to the suspect user 
during a time period specified in the predetermined 
request • 

25 

2. A method for revealing a user's secret 
value, comprising the steps of: 

having trustees hold pieces of information, 
wherein a piece of information includes a share of 
30 secret value; and 

upon a predetermined request, having a given 
number of trustees each reveal the piece of 
information that includes the share of the secret 
value to enable the entity to reconstruct the secret 
35 value at a prescribed time specified in the 
predetermined request . 



BNSDOCID; <WO _9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



3, A method/ using a crypto system, for 
enabling a predetermined entity to monitor 
communications of users suspected of unlawful 
activities while protecting the privacy of 
5 law-abiding users, comprising the steps of: 

having trustees hold pieces of information that 
are guaranteed to include shares of a secret 
decryption key; 

upon a predetermined request, having the 
10 trustees send information to a secure device having 
its own internal clock; and 

using the secure device to enable the entity to 
monitor communications to a suspect user for an 
amount of time as specified in the predetermined 
15 request . 

4* A method, using a given cryptosystem, for 
enabling a predetermined entity to verify that a 
user is sending messages encrypted by means of a 
20 secure device implementing the given cryptosystem, 
wherein the secure device contains a secret key 
known to the entity, comprising the steps of: 

having the secure device use the given 
cryptosystem to generate a first string, the first 
25 string being an encryption of a message; 

having the secure device use the secret key to 
generate a second string that guarantees to the 
entity that the first string was generated with the 
given cryptosystem* 

30 

5. A method, using a cryptosystem, for 
enabling a predetermined entity to confirm that 
users of a system exchange messages encrypted 
according to a predetermined algorithm, comprising 
35 the steps of: 



BNSDOCID; <WO 9426044A2J_> 



WO 94/26044 



PCT/US94/04325 



-38- 



providing each user in the system with a secure 
chip containing at least one secret key unknown to 
the user; and 

having the user send encrypted messages using 
5 the secure chip; and 

with each encrypted message sent by a user, 
having the secure chip also send a data string, 
computed using the secret key, to guarantee the 
entity that the encrypted message was generated by 
10 the secure chip using the predetermined algorithm. 

6. The method as described in Claim 5 further 
including the steps of: 

providing trustees with pieces of information 
15 including shares of a secret key; and 

upon a predetermined request, having a given 
number of trustees send information including shares 
of the secret key to allow the entity to monitor 
communications to a suspect user. 

20 



25 



30 



35 



BNSDOCID: <WO 9426044A2_I_> 



WO 94/26044 



PCT/US94/04325 



1/1 



FIG. 1 



12 






TOLL 
NETWORK 




CENTRAL 
OFFICE 






CENTRAL 
OFFICE 







14 




16 



12 




15 



22o- 



I 



TE 



I 



FIG. 2 



COMMUNICATIONS SYSTEM 



I 



TE 
I 



KEY MANAGEMENT CENTER 








COURT 





14 




TV 



22e 



I 



J-24 



■20 



BNSDOCID: <WO 9426044A2_I_> 



WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) Internationa] Patent Classification 5 
H04K 1/00 



A3 



(11) International Publication Number: WO 94/26044 

(43) International Publication Date: 10 November 1994 (10.1 1.94) 



(21) International Application Number: PCT/US94/04325 

(22) International Filing Date: 19 April 1994 (19.04.94) 



(30) Priority Data: 

08/049,929 



19 April 1993 (19.04.93) 



US 



(71X72) Applicant and Inventor: MICAU, Silvio [US/US]; 459 
Chestnut Hill Avenue, Brookline, MA 02146 (US). 

(74) Agent: JUDSON, David, H.; Hughes & Luce, 1717 Main 
Street, Suite 2800, Dallas, TX 75201 (US). 



(81) Designated States: European patent (AT, BE, CH, DE, DK, 
ES, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE). 



Published 

With international search report. 

(88) Date of publication of the international search report: 

19 January 1995 (19.01.95) 



(54) Thle: FAIR CRYFTOSYSTEMS AND METHODS OF USE 



(57) Abstract 

A method, using a public-key 
crypiosystcm, for enabling a 
predetermined entity (18) to 
monitor communications of 
users (12, 14) suspected of 
unlawful activities while 
protecting the privacy of law- 
abiding users, wherein each 
user (12, 14) is assigned a pair 
of matching secret and public 
keys. According to the method, 
each user's secret key is broken 
into shares. The pieces of 
information provided to each 
trustee (22) enable that trustee 
(22) to verify that such 
information includes a "share" 
of a secret key of some given 
public key. Each trustee (22) 
can verify thai the pieces of 
information provided include a ^ n 
share of the secret key without lO' 
interaction with any other 
trustee (22) or by sending 
messages to the user (12, 14). 
Upon a predetermined request 
or condition, e. g., the trustees 
reveal to the entity the shares 
of i he secret key of such user. 




AGENCY 


. 1 . 


COURT 





20 



BNSDOCID: <WO 9426044A3_t_> 



FOR THE PURPOSES OF INFORMATION ONLY 

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international 
applications under the PCT. 



AT 


Austria 


CB 


AU 


Australia 


CE 


BB 


Barbados 


GN 


BE 


Belgium 


GR 


BP 


Burkina Faso 


HU 


BC 


Bulgaria 


IE 


BJ 


Benin 


IT 


BR 


Brazil 


JP 


BV 


Belarus 


KE 


CA 


Canada 


KG 


CF 


Central African Republic 


KP 


CC 


Congo 


KR 


CH 


Switzerland 


CI 


Cole d'l voire 


KZ 


CM 


Cameroon 


LI 


CN 


China 


LK 


CS 


Chechoslovakia 


LU 


CZ 


Czech Republic 


LV 


DE 


Germany 


MC 


DK 


Denmark 


MD 


ES 


Spain 


MC 


Fl 


Finland 


ML 


FR 


France 


MN 


CA 


Gabon 





United Kingdom 

Georgia 

Guinea 

Greece 

Hungary 

Ireland 

Italy 

Japan 

Kenya 

Kyrgystan 

Democratic People's Republic 
of Korea 

Republic or Korea 

Kazakhstan 

Liechtenstein 

Sri Lanka 

Luxembourg 

Latvia 

Monaco 

Republic of Moldova 

Madagascar 

Mali 

Mongolia 



MR 


Mauritania 


MW 


Malawi 


NE 


Niger 


NL 


Netherlands 


NO 


Norway 


NZ 


New Zealand 


PL 


Poland 


PT 


Portugal 


RO 


Romania 


RU 


Russian Federation 


SO 


Sudan 


SE 


Sweden 


SI 


Slovenia 


SK 


Slovakia 


SN 


Senegal 


TD 


Chad 


TC 


Togo 


TJ 


Tajikistan 


TT 


Trinidad and Tohago 


UA 


Ukraine 


US 


United Stales of America 


uz 


Uzbekistan 


VN 


Viet Nam 



BNSDOCID: <WO 9426044A3_I_> 



INTERNATIONAL SEARCH RFPOPT 


International application No. 




PCT/US94/04325 


A. CLASSIFICATION OF SUBJECT MATTER 




IPC(5) :H04K 1/00 




US CL :380/30 




According to International Patent Classification (IPC) or to both national classification and IPC 


B. FIELDS SEARCHED 



Minimum documentation searched (classification system followed by classification symbols) 



U.S. : 380/30 

380/23, 24, 25, 28, 29 

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 



Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* 



Citation of document, with indication, where appropriate, of the relevant passages 



Relevant to claim No. 



Informatik Spektrum, 1990, Th. Beth, Zur Sicherheitder 
Informationstechnik, PP204-215. See pages 204 & 210. 

Eurocrypt 191 Abstracts, April 19$1, Pedersen, Torben; 
"Distributed Provers with Applications to Undeniable 
Signatures", pp 117-122. See page 118. 



1-6 
1-6 



I I Further documents are listed in the continuation of Box C. Qj] See patent family annex. 



Special cantf oriea of cited document*: 

document deikuof the f encrmi mUOc of the art which m a** conakJercd 
to be put of particular relevance 

earlier donmmi published 00 or after the » t *-"»f-ni| fiiint dale 
doou 



** which may throw doubat 00 priority cam(i) or which it 

cited 10 eatablieb the publication dale of another citation or other 
•pocial roaaoa (a« apeciTied) 

document rtXcmnf lo an oral disclosure, use, cxh&rtioo or other 
document publiahcd prior lo the international filinj dale but klcr than 



T" huer do ru mm t publiabed after ihe mtcraatiooal filing date or priority 

date and not in conflict with the application but cited to understand the 
prsBciple or theory undertyinf the mvcoboo 

"X* document of particular relevance; ate claimed invention cannot be 

considered novel or cannot be considered to involve an inventive step 
when the document ia taken alone 

*Y* document of particular relevance; the claimed invention cannot be 

considered to involve an inventive step when the document ia 
combined with one or more other cuch document!, such combination 
bemf obvioui lo • person skilled m the art 

document member of the same patent family 



Date of the actual completion of the international search 
06 OCTOBER 1994 


Dau» of m&Uing of the international search report 

17 0CTW94 


Name and mailing address of the ISA/US 
Commissioner of Patents and Trademarks 
Box PCT 

Washington. D.C. 20231 
Facsimile No. (703) 305-3230 
Form PCT/lSA/^lft /trrnnH ck/-w\/i.,n, iaa-n* 


Telephone No. O03) 308-0766 



3NSDOCID: <WO 9426044A3_I„> 



